Remember the "opensea phishing attack"?

Exactly 2 years ago today, millions of dollars were stolen, including several apes.

Let's talk about what happened and how to never fall victim.

On Feb 18, 2022, at 4:14 pm EST, @opensea announced that their new upgraded contract was live.

OS instructed users on how to migrate their listings to the new contract; they were given 7 days to do so.

How the hacker took advantage:

- Deployed a contract 28 days prior to the actual theft.

- Sent users emails urging them to move their NFTs from an old OS smart contract to a new one.

- Gathered signatures of OS users (through the phishing email) for a private sale of NFTs.

- Executed the plan on the same day the OS contract went live.

When a user signs this fake contract, it initiates a private sale of NFTs to the hacker for 0 ETH.

The hacker made close to $2M from the attack and returned some of the stolen NFTs.

Market:

Panic and confusion in the market.

Users blamed the new OS contract, but the cause was the phishing link they had clicked and signed days prior, which was not linked to the OS website.

The hacker only chose to execute the plan on the same day the new OS contract went live.

Lesson:

Assume all links are bad for you, especially links in your inbox.

One click can mean the world; always double-check before you sign anything.
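
As an added example (not code from OpenSea or any of the tools named in this post), here is the kind of check worth making before signing a sale order: it flags a request from a host that is not exactly the marketplace's, a price of 0 ETH, and a sale restricted to a single buyer. The request shape, field names, hosts and addresses are constructed for illustration, and a zero `taker` address is assumed to mean an open listing.

```javascript
// Added example: field names are hypothetical, not OpenSea's real order schema.
const ZERO_ADDRESS = "0x" + "0".repeat(40); // assumed to mean "anyone can buy"

// Returns a list of warnings for a sale-order signature request.
function reviewSaleRequest(request, myWallet, trustedHosts) {
  const warnings = [];
  const same = (a, b) => a.toLowerCase() === b.toLowerCase();

  // Compare the exact hostname; a substring match would accept lookalikes.
  let host = "";
  try {
    host = new URL(request.origin).hostname.toLowerCase();
  } catch {
    warnings.push("origin is not a valid URL");
  }
  if (host && !trustedHosts.includes(host)) {
    warnings.push(`request comes from untrusted host ${host}`);
  }

  const { maker, taker, priceWei } = request.order;
  if (same(maker, myWallet)) {
    // You are the seller: the price and the buyer decide what you get back.
    if (BigInt(priceWei) === 0n) {
      warnings.push("you would sell your NFT for 0 ETH");
    }
    if (!same(taker, ZERO_ADDRESS)) {
      warnings.push(`private sale: only ${taker} can buy`);
    }
  }
  return warnings;
}

// Constructed sample data (placeholder addresses and hosts).
const WALLET = "0x" + "a".repeat(40);
const phishingRequest = {
  origin: "https://opensea.io.migrate.example/listing",
  order: { maker: WALLET, taker: "0x" + "b".repeat(40), tokenId: "1", priceWei: "0" },
};
const normalListing = {
  origin: "https://opensea.io/assets",
  order: { maker: WALLET, taker: ZERO_ADDRESS, tokenId: "1", priceWei: "1000000000000000000" },
};

console.log(reviewSaleRequest(phishingRequest, WALLET, ["opensea.io"])); // three warnings
console.log(reviewSaleRequest(normalListing, WALLET, ["opensea.io"])); // no warnings
```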

From time to time, check your token approvals on either Etherscan or @RevokeCash, and revoke any approvals you think are sus.

Extensions like @wallet_guard and @PocketUniverseZ simulate transactions before you sign.

@MintDefense even blocks scam sites.

Using these might help reduce your risk.

Thank you for reading.

Make sure to subscribe and follow me on X @zedweb3

